An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
ansible
NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
NOTE: 20200506: (lamby)
NOTE: 20200508: bam: Problem exists with new files only. Existing files
NOTE: 20200508: bam: code resets permissions to same value, should be fine.
NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
batik (Emilio)
--
cacti (Abhijith PA)
NOTE: 20200529: A patch needs to be cooked up. The upstream patch is not fit for the jessie version (abhijith)
NOTE: 20200620: WIP (abhijith)
NOTE: 20200629: Working on the patch (abhijith)
NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
--
condor (Roberto C. Sánchez)
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
--
curl (Thorsten Alteholz)
--
firefox-esr (Emilio)
--
freerdp
NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
glib-networking (Emilio)
--
gupnp
--
imagemagick (Markus Koschany)
NOTE: 20200622: Ongoing work
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble
NOTE: 20200325: Regression in last upload, forgot to follow up.
NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
net-snmp
NOTE: 20200628: be aware of the ABI break introduced by the patches! (thorsten)
--
nginx
NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby)
--
opendmarc
NOTE: 20200621: testing package (thorsten)
--
openjpeg2 (Utkarsh Gupta)
--
python3.5 (Sylvain Beucler)
--
qemu (Utkarsh Gupta)
--
rails (Sylvain Beucler)
NOTE: 20200706: coordinating/reviewing stretch update with security and ruby teams
NOTE: 20200706: https://lists.debian.org/debian-lts/2020/06/msg00095.html
NOTE: 20200706: got regression claim but probably erroneous
NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00033.html
--
ruby-rack (Utkarsh Gupta)
NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten)
--
samba (Roberto C. Sánchez)
NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
--
shiro (Chris Lamb)
NOTE: 20200629: Taking this now as I did the last upload. (lamby)
NOTE: 20200701: CVE-2020-1957's patch should also be included for Stretch LTS. (utkarsh)
--
squid3 (Markus Koschany)
NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/
NOTE: 20200622: Patch for CVE-2019-12523 almost complete.
--
sympa
NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
NOTE: 20200531: non-public patch received but don't think it should be applied (utkarsh)
NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
tomcat8 (Markus Koschany)
NOTE: 20200701: CVE-2020-9484's patch should also be included for Stretch LTS. (utkarsh)
--
unbound
NOTE: 20200616: Package unsupported.
NOTE: 20200616: Not possible to update debian-security-support package in Jessie.
NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html (bam)
--
wpa (Abhijith PA)
--
xcftools
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
NOTE: 20200517: work is ongoing. (gladk)
NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--